From 9420e1556317e67f7f2baa4871df9a9967dcc240 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Wed, 8 Jun 2022 17:34:40 -0700 Subject: [PATCH 1/4] PKI: Add support for CPS URL in custom policy identifiers Update the `vault_resource_pki_secret_backend_role` to support specifying the CPS URL when specifying policy identifiers in line with the recent changes to the PKI Secrets Engine in Vault 1.11: https://github.com/hashicorp/vault/pull/15751 We do this by deprecating the existing `policy_identifiers` argument and creating a new block, `policy_identifier`, which can be specified multiple times. If both `policy_identifiers` and `policy_identifier` blocks are present, then `policy_identifier` is ignored. (Otherwise, refreshing would delete one or the other, and the state wouldn't have round trip stability.) This was also tested locally with, for example, a terraform file like: ```hcl provider "vault" { } resource "vault_mount" "pki" { path = "pki" type = "pki" default_lease_ttl_seconds = 3600 max_lease_ttl_seconds = 86400 } resource "vault_pki_secret_backend_role" "role" { name = "example-dot-com" backend = vault_mount.pki.path allowed_domains = ["example.com"] allow_subdomains = true allow_bare_domains = true allow_glob_domains = true allow_ip_sans = true allow_localhost = "true" generate_lease = true organization = ["Hashi test"] country = ["USA"] locality = ["Area 51"] province = ["NV"] max_ttl = "720h" policy_identifiers = ["2.5.29.32","1.2.3"] // or policy_identifier { oid = "2.5.29.32" cps = "https://example.com/cps" notice = "Some notice" } policy_identifier { oid = "1.2.3" } } ``` --- vault/pki.go | 79 +++++++++++++++++++ vault/resource_pki_secret_backend_role.go | 58 +++++++++----- .../resource_pki_secret_backend_role_test.go | 62 ++++++++++++--- .../docs/r/pki_secret_backend_role.html.md | 13 ++- 4 files changed, 179 insertions(+), 33 deletions(-) create mode 100644 vault/pki.go 
diff --git a/vault/pki.go b/vault/pki.go
new file mode 100644
index 000000000..ae1147f0d
--- /dev/null
+++ b/vault/pki.go
@@ -0,0 +1,79 @@ +package vault + +import ( + "encoding/json" + "log" + "strings" + + "github.com/hashicorp/terraform-provider-vault/helper" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +// readPolicyIdentifiers converts the `policy_identifiers` list and `policy_identifier` blocks +// into a list of strings (the OIDs) or the JSON serialization of the `policy_identifier` blocks, +// respectively. +func readPolicyIdentifiers(d *schema.ResourceData) interface{} { + policyIdentifiersList := d.Get("policy_identifiers").([]interface{}) + policyIdentifierBlocks := d.Get("policy_identifier").(*schema.Set) + policyIdentifiers := make([]string, 0, len(policyIdentifiersList)) + var newPolicyIdentifiers []map[string]interface{} + + // If the `policy_identifier` blocks are present, send them as JSON, which is only supported by Vault 1.11+. + if policyIdentifierBlocks != nil && policyIdentifierBlocks.Len() > 0 { + newPolicyIdentifiers = make([]map[string]interface{}, 0, policyIdentifierBlocks.Len()+len(policyIdentifiers)) + for _, iPolicyIdentifier := range policyIdentifierBlocks.List() { + policyIdentifier := iPolicyIdentifier.(map[string]interface{}) + newPolicyIdentifiers = append(newPolicyIdentifiers, policyIdentifier) + } + + if policyIdentifiersList != nil && len(policyIdentifiersList) > 0 { + log.Printf("[WARN] vault_pki_secret_backend_role policy_identifier and policy_identifiers should not both be used; ignoring legacy policy_identifiers") + } + + // we know these maps are safe to marshal + policyIdentifiersJson, _ := json.Marshal(newPolicyIdentifiers) + return string(policyIdentifiersJson) + } else if policyIdentifiersList != nil && len(policyIdentifiersList) > 0 { + for _, iIdentifier := range policyIdentifiersList { + policyIdentifiers = append(policyIdentifiers, iIdentifier.(string)) + } + return policyIdentifiers + } else { + return nil + } +} + +// makePkiPolicyIdentifiersListOrSet converts the Vault "policy_identifiers" response +// into 
either a list of OIDs, i.e., ["1.2.3","4.5.6"], or a set to represent +// `policy_identifier` blocks. We return either of these so that round-tripping is stable, +// and to preserve backwards compatibility with previous versions of Vault. +func makePkiPolicyIdentifiersListOrSet(rawPolicyIdentifiers []interface{}) ([]string, *schema.Set, error) { + policyIdentifiers := make([]string, 0, len(rawPolicyIdentifiers)) + newPolicyIdentifiers := schema.NewSet(pkiPolicyIdentifierHash, []interface{}{}) + for _, iIdentifier := range rawPolicyIdentifiers { + policyString := iIdentifier.(string) + if strings.HasPrefix(policyString, "{") && strings.HasSuffix(policyString, "}") { + var policyMap = map[string]string{} + err := json.Unmarshal([]byte(policyString), &policyMap) + if err != nil { + return nil, nil, err + } + newPolicyIdentifiers.Add(policyMap) + } else { + // older Vault version with oid-only response + policyIdentifiers = append(policyIdentifiers, policyString) + } + } + + if newPolicyIdentifiers.Len() == 0 { + return policyIdentifiers, nil, nil + } + return nil, newPolicyIdentifiers, nil +} + +func pkiPolicyIdentifierHash(v interface{}) int { + m := v.(map[string]string) + s, _ := json.Marshal(m) // won't fail since we know the argument is a map[string]string + return helper.HashCodeString(string(s)) +} diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go index 409796ee8..a8ebc81ba 100644 --- a/vault/resource_pki_secret_backend_role.go +++ b/vault/resource_pki_secret_backend_role.go 
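Review bot: `policyString := iIdentifier.(string)` in makePkiPolicyIdentifiersListOrSet is an unchecked assertion on data that came back from Vault, so an unexpected element type would panic the provider even though the function already has an error return; use the two-value form `policyString, ok := iIdentifier.(string)` followed by `if !ok { return nil, nil, fmt.Errorf("policy identifier %v is %T, want string", iIdentifier, iIdentifier) }`, and add `fmt` to the import block. The prefix/suffix check on `{` and `}` then still decides between the legacy OID form and the JSON form, which is sound because a dotted-decimal OID can never begin with `{`. Separately, the `[WARN]` branch in readPolicyIdentifiers drops the legacy `policy_identifiers` list when both forms are configured, while the commit message says `policy_identifier` is the one ignored; the message or the code should be made to agree.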
@@ -286,11 +286,38 @@ func pkiSecretBackendRoleResource() *schema.Resource { Type: schema.TypeList, Required: false, Optional: true, - Description: "Specify the list of allowed policies IODs.", + Description: "Specify the list of allowed policies OIDs.", Elem: &schema.Schema{ Type: schema.TypeString, }, }, + "policy_identifier": { + Type: schema.TypeSet, + Optional: true, + Description: "Policy identifier block; can only be used with Vault 1.11+", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "oid": { + Type: schema.TypeString, + Required: true, + Optional: false, + Description: "OID", + }, + "cps": { + Type: schema.TypeString, + Required: false, + Optional: true, + Description: "Optional CPS URL", + }, + "notice": { + Type: schema.TypeString, + Required: false, + Optional: true, + Description: "Optional notice", + }, + }, + }, + }, "basic_constraints_valid_for_non_ca": { Type: schema.TypeBool, Required: false, @@ -354,11 +381,7 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error extKeyUsage = append(extKeyUsage, iUsage.(string)) } - iPolicyIdentifiers := d.Get("policy_identifiers").([]interface{}) - policyIdentifiers := make([]string, 0, len(iPolicyIdentifiers)) - for _, iIdentifier := range iPolicyIdentifiers { - policyIdentifiers = append(policyIdentifiers, iIdentifier.(string)) - } + policyIdentifiers := readPolicyIdentifiers(d) iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{}) allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers)) @@ -413,7 +436,7 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error data["ext_key_usage"] = extKeyUsage } - if len(policyIdentifiers) > 0 { + if policyIdentifiers != nil { data["policy_identifiers"] = policyIdentifiers } 
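Review bot: The new `oid` and `cps` attributes of the `policy_identifier` block accept any string, and those values are forwarded verbatim into the certificatePolicies extension of every certificate the role issues, so a typo is only discovered after issuance. The resource file already imports helper/validation (it appears as context in the later import hunk), so `cps` could carry `ValidateFunc: validation.IsURLWithHTTPorHTTPS,` and `oid` a dotted-decimal check such as `ValidateFunc: validation.StringMatch(regexp.MustCompile("^[0-9]+(\\.[0-9]+)+$"), "must be a dotted-decimal OID"),` with `regexp` added to the imports. `Required: true, Optional: false` on `oid` spells out the zero value and can be shortened to `Required: true`, and `Description: "OID"` would serve users better as `"The OID of the certificate policy"`.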
@@ -488,10 +511,9 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error { extKeyUsage = append(extKeyUsage, iUsage.(string)) } - iPolicyIdentifiers := secret.Data["policy_identifiers"].([]interface{}) - policyIdentifiers := make([]string, 0, len(iPolicyIdentifiers)) - for _, iIdentifier := range iPolicyIdentifiers { - policyIdentifiers = append(policyIdentifiers, iIdentifier.(string)) + legacyPolicyIdentifiers, newPolicyIdentifiers, err := makePkiPolicyIdentifiersListOrSet(secret.Data["policy_identifiers"].([]interface{})) + if err != nil { + return err } notBeforeDuration := flattenVaultDuration(secret.Data["not_before_duration"]) @@ -537,7 +559,11 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error { d.Set("generate_lease", secret.Data["generate_lease"]) d.Set("no_store", secret.Data["no_store"]) d.Set("require_cn", secret.Data["require_cn"]) - d.Set("policy_identifiers", policyIdentifiers) + if len(legacyPolicyIdentifiers) > 0 { + d.Set("policy_identifiers", legacyPolicyIdentifiers) + } else { + d.Set("policy_identifier", newPolicyIdentifiers) + } d.Set("basic_constraints_valid_for_non_ca", secret.Data["basic_constraints_valid_for_non_ca"]) d.Set("not_before_duration", notBeforeDuration) d.Set("allowed_serial_numbers", allowedSerialNumbers) @@ -572,11 +598,7 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error extKeyUsage = append(extKeyUsage, iUsage.(string)) } - iPolicyIdentifiers := d.Get("policy_identifiers").([]interface{}) - policyIdentifiers := make([]string, 0, len(iPolicyIdentifiers)) - for _, iIdentifier := range iPolicyIdentifiers { - policyIdentifiers = append(policyIdentifiers, iIdentifier.(string)) - } + policyIdentifiers := readPolicyIdentifiers(d) iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{}) allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers)) 
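Review bot: In pkiSecretBackendRoleRead the new `if len(legacyPolicyIdentifiers) > 0` branch writes `policy_identifiers` but never touches `policy_identifier`, and the else branch does the reverse, so whichever attribute was previously in state keeps its old value after a refresh that switches forms (for example after an out-of-band edit of the role or an import). Setting the unused attribute explicitly in each branch, `d.Set("policy_identifier", nil)` in the first and `d.Set("policy_identifiers", nil)` in the second, keeps state describing exactly what Vault returned. This assumes Vault 1.11 echoes block-form identifiers back in JSON form even when only `oid` was given; if it normalises them back to bare OIDs the clearing would instead produce a perpetual diff, so that is worth confirming against the server before changing it. The enclosing function starts and ends outside the hunk.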
@@ -631,7 +653,7 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error data["ext_key_usage"] = extKeyUsage } - if len(policyIdentifiers) > 0 { + if policyIdentifiers != nil { data["policy_identifiers"] = policyIdentifiers } diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go index a04fd495e..bd9e7bfc7 100644 --- a/vault/resource_pki_secret_backend_role_test.go +++ b/vault/resource_pki_secret_backend_role_test.go @@ -12,6 +12,17 @@ import ( "github.com/hashicorp/terraform-provider-vault/testutil" ) +var legacyPolicyIdentifiers = `policy_identifiers = ["1.2.3.4"]` +var newPolicyIdentifiers = `policy_identifier { + oid = "1.2.3.4.5" + cps = "https://example.com/cps" + notice = "Some notice" + } + policy_identifier { + oid = "1.2.3.4.5.6" + }` +var mixedPolicyIdentifiers = legacyPolicyIdentifiers + "\n " + newPolicyIdentifiers + func TestPkiSecretBackendRole_basic(t *testing.T) { backend := acctest.RandomWithPrefix("pki") name := acctest.RandomWithPrefix("role") @@ -56,8 +67,6 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "generate_lease", "false"), resource.TestCheckResourceAttr(resourceName, "no_store", "false"), resource.TestCheckResourceAttr(resourceName, "require_cn", "true"), - resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "1"), - resource.TestCheckResourceAttr(resourceName, "policy_identifiers.0", "1.2.3.4"), resource.TestCheckResourceAttr(resourceName, "basic_constraints_valid_for_non_ca", "false"), resource.TestCheckResourceAttr(resourceName, "not_before_duration", "45m"), } 
@@ -67,7 +76,36 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { CheckDestroy: testPkiSecretBackendRoleCheckDestroy, Steps: []resource.TestStep{ { - Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200), + Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, legacyPolicyIdentifiers), + Check: resource.ComposeTestCheckFunc( + append(checks, + resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "1"), + resource.TestCheckResourceAttr(resourceName, "policy_identifiers.0", "1.2.3.4"), + )..., + ), + }, + { + Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, newPolicyIdentifiers), + Check: resource.ComposeTestCheckFunc( + append(checks, + resource.TestCheckResourceAttr(resourceName, "policy_identifier.#", "2"), + resource.TestCheckTypeSetElemNestedAttrs(resourceName, "policy_identifier.*", map[string]string{"oid": "1.2.3.4.5", "cps": "https://example.com/cps", "notice": "Some notice"}), + resource.TestCheckTypeSetElemNestedAttrs(resourceName, "policy_identifier.*", map[string]string{"oid": "1.2.3.4.5.6"}), + )..., + ), + }, + { + Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, mixedPolicyIdentifiers), + Check: resource.ComposeTestCheckFunc( + append(checks, + resource.TestCheckResourceAttr(resourceName, "policy_identifier.#", "2"), + resource.TestCheckTypeSetElemNestedAttrs(resourceName, "policy_identifier.*", map[string]string{"oid": "1.2.3.4.5", "cps": "https://example.com/cps", "notice": "Some notice"}), + resource.TestCheckTypeSetElemNestedAttrs(resourceName, "policy_identifier.*", map[string]string{"oid": "1.2.3.4.5.6"}), + )..., + ), + }, + { + Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, legacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( append(checks, resource.TestCheckResourceAttr(resourceName, "ttl", "3600"), 
@@ -76,7 +114,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { ), }, { - Config: testPkiSecretBackendRoleConfig_basic(name, backend, 0, 0), + Config: testPkiSecretBackendRoleConfig_basic(name, backend, 0, 0, legacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( append(checks, resource.TestCheckResourceAttr(resourceName, "ttl", "0"), @@ -85,7 +123,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { ), }, { - Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200), + Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, legacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( append(checks, resource.TestCheckResourceAttr(resourceName, "ttl", "3600"), @@ -94,7 +132,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { ), }, { - Config: testPkiSecretBackendRoleConfig_updated(name, backend), + Config: testPkiSecretBackendRoleConfig_updated(name, backend, legacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "name", name), resource.TestCheckResourceAttr(resourceName, "backend", backend), @@ -146,7 +184,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { }) } -func testPkiSecretBackendRoleConfig_basic(name, path string, roleTTL, maxTTL int) string { +func testPkiSecretBackendRoleConfig_basic(name, path string, roleTTL, maxTTL int, policyIdentifiers string) string { return fmt.Sprintf(` resource "vault_mount" "pki" { path = "%s" 
@@ -188,15 +226,15 @@ resource "vault_pki_secret_backend_role" "test" { generate_lease = false no_store = false require_cn = true - policy_identifiers = ["1.2.3.4"] + %s basic_constraints_valid_for_non_ca = false not_before_duration = "45m" allowed_serial_numbers = ["*"] } -`, path, name, roleTTL, maxTTL) +`, path, name, roleTTL, maxTTL, policyIdentifiers) } -func testPkiSecretBackendRoleConfig_updated(name, path string) string { +func testPkiSecretBackendRoleConfig_updated(name, path string, policyIdentifiers string) string { return fmt.Sprintf(` resource "vault_mount" "pki" { path = "%s" @@ -240,11 +278,11 @@ resource "vault_pki_secret_backend_role" "test" { generate_lease = false no_store = false require_cn = true - policy_identifiers = ["1.2.3.4"] + %s basic_constraints_valid_for_non_ca = false not_before_duration = "45m" allowed_serial_numbers = ["*"] -}`, path, name) +}`, path, name, policyIdentifiers) } func testPkiSecretBackendRoleCheckDestroy(s *terraform.State) error { diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md index abc209f38..544419e37 100644 --- a/website/docs/r/pki_secret_backend_role.html.md +++ b/website/docs/r/pki_secret_backend_role.html.md @@ -51,7 +51,7 @@ The following arguments are supported: * `allow_localhost` - (Optional) Flag to allow certificates for localhost -* `allowed_domains` - (Optional) List of allowed domains for certificates +* `allowed_domains` - (Optional) List of allowed domains for certificates * `allowed_domains_template` - (Optional) Flag, if set, `allowed_domains` can be specified using identity template expressions such as `{{identity.entity.aliases..name}}`. 
@@ -79,7 +79,7 @@ The following arguments are supported: * `email_protection_flag` - (Optional) Flag to specify certificates for email protection use -* `key_type` - (Optional) The generated key type, choices: `rsa`, `ec`, `ed25519`, `any` +* `key_type` - (Optional) The generated key type, choices: `rsa`, `ec`, `ed25519`, `any` Defaults to `rsa` * `key_bits` - (Optional) The number of bits of generated keys @@ -112,7 +112,14 @@ The following arguments are supported: * `require_cn` - (Optional) Flag to force CN usage -* `policy_identifiers` - (Optional) Specify the list of allowed policies IODs +* `policy_identifiers` - (Optional) Specify the list of allowed policies OIDs; Deprecated: use `policy_identifier` blocks instead +* `policy_identifier` - (Optional) (Vault 1.11+ only) A block for specifying policy identifers. The `policy_identifier` block can be repeated, and supports the following arguments: + + - `oid` - (Required) The OID for the policy identifier + + - `notice` - (Optional) A notice for the policy identifier + + - `cps` - (Optional) The URL of the CPS for the policy identifier * `basic_constraints_valid_for_non_ca` - (Optional) Flag to mark basic constraints valid when issuing non-CA certificates From 99d35302a97209189f84b0eec12f901ffb1af454 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Thu, 9 Jun 2022 10:35:59 -0700 Subject: [PATCH 2/4] Address review comments --- {vault => internal}/pki.go | 49 ++++------ vault/resource_pki_secret_backend_role.go | 38 ++++---- .../resource_pki_secret_backend_role_test.go | 89 ++++++++++++++----- .../docs/r/pki_secret_backend_role.html.md | 5 +- 4 files changed, 112 insertions(+), 69 deletions(-) rename {vault => internal}/pki.go (52%) diff --git a/vault/pki.go b/internal/pki.go similarity index 52% rename from vault/pki.go rename to internal/pki.go index ae1147f0d..93a747c8e 100644 --- a/vault/pki.go +++ b/internal/pki.go 
@@ -1,54 +1,39 @@ -package vault +package internal import ( "encoding/json" - "log" "strings" - "github.com/hashicorp/terraform-provider-vault/helper" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-provider-vault/helper" ) -// readPolicyIdentifiers converts the `policy_identifiers` list and `policy_identifier` blocks +// ReadPolicyIdentifierBlocks converts the `policy_identifiers` list and `policy_identifier` blocks // into a list of strings (the OIDs) or the JSON serialization of the `policy_identifier` blocks, // respectively. -func readPolicyIdentifiers(d *schema.ResourceData) interface{} { - policyIdentifiersList := d.Get("policy_identifiers").([]interface{}) - policyIdentifierBlocks := d.Get("policy_identifier").(*schema.Set) - policyIdentifiers := make([]string, 0, len(policyIdentifiersList)) +func ReadPolicyIdentifierBlocks(policyIdentifierBlocks *schema.Set) string { + if policyIdentifierBlocks == nil || policyIdentifierBlocks.Len() == 0 { + return "" + } + var newPolicyIdentifiers []map[string]interface{} // If the `policy_identifier` blocks are present, send them as JSON, which is only supported by Vault 1.11+. 
- if policyIdentifierBlocks != nil && policyIdentifierBlocks.Len() > 0 { - newPolicyIdentifiers = make([]map[string]interface{}, 0, policyIdentifierBlocks.Len()+len(policyIdentifiers)) - for _, iPolicyIdentifier := range policyIdentifierBlocks.List() { - policyIdentifier := iPolicyIdentifier.(map[string]interface{}) - newPolicyIdentifiers = append(newPolicyIdentifiers, policyIdentifier) - } - - if policyIdentifiersList != nil && len(policyIdentifiersList) > 0 { - log.Printf("[WARN] vault_pki_secret_backend_role policy_identifier and policy_identifiers should not both be used; ignoring legacy policy_identifiers") - } - - // we know these maps are safe to marshal - policyIdentifiersJson, _ := json.Marshal(newPolicyIdentifiers) - return string(policyIdentifiersJson) - } else if policyIdentifiersList != nil && len(policyIdentifiersList) > 0 { - for _, iIdentifier := range policyIdentifiersList { - policyIdentifiers = append(policyIdentifiers, iIdentifier.(string)) - } - return policyIdentifiers - } else { - return nil + newPolicyIdentifiers = make([]map[string]interface{}, 0, policyIdentifierBlocks.Len()) + for _, iPolicyIdentifier := range policyIdentifierBlocks.List() { + policyIdentifier := iPolicyIdentifier.(map[string]interface{}) + newPolicyIdentifiers = append(newPolicyIdentifiers, policyIdentifier) } + // we know these maps are safe to marshal + policyIdentifiersJson, _ := json.Marshal(newPolicyIdentifiers) + return string(policyIdentifiersJson) } -// makePkiPolicyIdentifiersListOrSet converts the Vault "policy_identifiers" response +// MakePkiPolicyIdentifiersListOrSet converts the Vault "policy_identifiers" response // into either a list of OIDs, i.e., ["1.2.3","4.5.6"], or a set to represent // `policy_identifier` blocks. We return either of these so that round-tripping is stable, // and to preserve backwards compatibility with previous versions of Vault. 
-func makePkiPolicyIdentifiersListOrSet(rawPolicyIdentifiers []interface{}) ([]string, *schema.Set, error) { +func MakePkiPolicyIdentifiersListOrSet(rawPolicyIdentifiers []interface{}) ([]string, *schema.Set, error) { policyIdentifiers := make([]string, 0, len(rawPolicyIdentifiers)) newPolicyIdentifiers := schema.NewSet(pkiPolicyIdentifierHash, []interface{}{}) for _, iIdentifier := range rawPolicyIdentifiers { diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go index a8ebc81ba..ba3189a08 100644 --- a/vault/resource_pki_secret_backend_role.go +++ b/vault/resource_pki_secret_backend_role.go @@ -9,7 +9,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" - + "github.com/hashicorp/terraform-provider-vault/internal" "github.com/hashicorp/terraform-provider-vault/internal/provider" ) @@ -283,18 +283,20 @@ func pkiSecretBackendRoleResource() *schema.Resource { Default: true, }, "policy_identifiers": { - Type: schema.TypeList, - Required: false, - Optional: true, - Description: "Specify the list of allowed policies OIDs.", + Type: schema.TypeList, + Required: false, + Optional: true, + Description: "Specify the list of allowed policies OIDs.", + ConflictsWith: []string{"policy_identifier"}, Elem: &schema.Schema{ Type: schema.TypeString, }, }, "policy_identifier": { - Type: schema.TypeSet, - Optional: true, - Description: "Policy identifier block; can only be used with Vault 1.11+", + Type: schema.TypeSet, + Optional: true, + Description: "Policy identifier block; can only be used with Vault 1.11+", + ConflictsWith: []string{"policy_identifiers"}, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "oid": { 
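Review bot: ReadPolicyIdentifierBlocks marshals each element exactly as it comes out of `policyIdentifierBlocks.List()`, and in my experience the SDK fills unset optional attributes of a TypeSet-of-Resource element with empty strings, so a block written as `policy_identifier { oid = "1.2.3" }` is sent to Vault as `{"oid":"1.2.3","cps":"","notice":""}`; nothing in this hunk establishes that Vault treats an empty `cps` as "no CPS qualifier", so dropping empty values before marshaling is the safer wire form. The `var newPolicyIdentifiers []map[string]interface{}` declaration followed by `newPolicyIdentifiers = make(...)` is a leftover of the refactor and can become a single `:=`. The sketch below builds a filtered copy per element rather than deleting from the SDK-owned map.

```go
func ReadPolicyIdentifierBlocks(policyIdentifierBlocks *schema.Set) string {
	if policyIdentifierBlocks == nil || policyIdentifierBlocks.Len() == 0 {
		return ""
	}
	newPolicyIdentifiers := make([]map[string]interface{}, 0, policyIdentifierBlocks.Len())
	for _, iPolicyIdentifier := range policyIdentifierBlocks.List() {
		block := iPolicyIdentifier.(map[string]interface{})
		// Copy only populated attributes so Vault does not receive empty
		// "cps"/"notice" qualifiers for optional fields the user left unset.
		policyIdentifier := make(map[string]interface{}, len(block))
		for key, value := range block {
			if s, ok := value.(string); ok && s == "" {
				continue
			}
			policyIdentifier[key] = value
		}
		newPolicyIdentifiers = append(newPolicyIdentifiers, policyIdentifier)
	}
	// … unchanged: json.Marshal of newPolicyIdentifiers and return …
}
```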
@@ -381,7 +383,8 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error extKeyUsage = append(extKeyUsage, iUsage.(string)) } - policyIdentifiers := readPolicyIdentifiers(d) + policyIdentifiersList := d.Get("policy_identifiers").([]interface{}) + policyIdentifierBlocks := internal.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set)) iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{}) allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers)) @@ -436,8 +439,10 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error data["ext_key_usage"] = extKeyUsage } - if policyIdentifiers != nil { - data["policy_identifiers"] = policyIdentifiers + if len(policyIdentifiersList) > 0 { + data["policy_identifiers"] = policyIdentifiersList + } else if policyIdentifierBlocks != "" { + data["policy_identifiers"] = policyIdentifierBlocks } if len(allowedSerialNumbers) > 0 { @@ -511,7 +516,7 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error { extKeyUsage = append(extKeyUsage, iUsage.(string)) } - legacyPolicyIdentifiers, newPolicyIdentifiers, err := makePkiPolicyIdentifiersListOrSet(secret.Data["policy_identifiers"].([]interface{})) + legacyPolicyIdentifiers, newPolicyIdentifiers, err := internal.MakePkiPolicyIdentifiersListOrSet(secret.Data["policy_identifiers"].([]interface{})) if err != nil { return err } @@ -598,7 +603,8 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error extKeyUsage = append(extKeyUsage, iUsage.(string)) } - policyIdentifiers := readPolicyIdentifiers(d) + policyIdentifiersList := d.Get("policy_identifiers").([]interface{}) + policyIdentifierBlocks := internal.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set)) iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{}) allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers)) 
@@ -653,8 +659,10 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error data["ext_key_usage"] = extKeyUsage } - if policyIdentifiers != nil { - data["policy_identifiers"] = policyIdentifiers + if len(policyIdentifiersList) > 0 { + data["policy_identifiers"] = policyIdentifiersList + } else if policyIdentifierBlocks != "" { + data["policy_identifiers"] = policyIdentifierBlocks } if len(allowedSerialNumbers) > 0 { diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go index bd9e7bfc7..ec459c90b 100644 --- a/vault/resource_pki_secret_backend_role_test.go +++ b/vault/resource_pki_secret_backend_role_test.go @@ -7,13 +7,16 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" - "github.com/hashicorp/terraform-provider-vault/internal/provider" "github.com/hashicorp/terraform-provider-vault/testutil" ) -var legacyPolicyIdentifiers = `policy_identifiers = ["1.2.3.4"]` -var newPolicyIdentifiers = `policy_identifier { +var testLegacyPolicyIdentifiers = `policy_identifiers = ["1.2.3.4"]` + +func TestPkiSecretBackendRole_policy_identifier(t *testing.T) { + testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext) + // TODO: this can be merged with TestPkiSecretBackendRole_basic after Vault 1.11 is released. + newPolicyIdentifiers := `policy_identifier { oid = "1.2.3.4.5" cps = "https://example.com/cps" notice = "Some notice" @@ -21,9 +24,7 @@ var newPolicyIdentifiers = `policy_identifier { policy_identifier { oid = "1.2.3.4.5.6" }` -var mixedPolicyIdentifiers = legacyPolicyIdentifiers + "\n " + newPolicyIdentifiers -func TestPkiSecretBackendRole_basic(t *testing.T) { backend := acctest.RandomWithPrefix("pki") name := acctest.RandomWithPrefix("role") resourceName := "vault_pki_secret_backend_role.test" 
@@ -76,7 +77,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { CheckDestroy: testPkiSecretBackendRoleCheckDestroy, Steps: []resource.TestStep{ { - Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, legacyPolicyIdentifiers), + Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, testLegacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( append(checks, resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "1"), 
@@ -94,18 +95,66 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { )..., ), }, + }, + }) +} + +func TestPkiSecretBackendRole_basic(t *testing.T) { + backend := acctest.RandomWithPrefix("pki") + name := acctest.RandomWithPrefix("role") + resourceName := "vault_pki_secret_backend_role.test" + + checks := []resource.TestCheckFunc{ + resource.TestCheckResourceAttr(resourceName, "name", name), + resource.TestCheckResourceAttr(resourceName, "backend", backend), + resource.TestCheckResourceAttr(resourceName, "allow_localhost", "true"), + resource.TestCheckResourceAttr(resourceName, "allowed_domains.#", "1"), + resource.TestCheckResourceAttr(resourceName, "allowed_domains.0", "test.domain"), + resource.TestCheckResourceAttr(resourceName, "allow_bare_domains", "false"), + resource.TestCheckResourceAttr(resourceName, "allow_subdomains", "true"), + resource.TestCheckResourceAttr(resourceName, "allow_glob_domains", "false"), + resource.TestCheckResourceAttr(resourceName, "allow_any_name", "false"), + resource.TestCheckResourceAttr(resourceName, "enforce_hostnames", "true"), + resource.TestCheckResourceAttr(resourceName, "allow_ip_sans", "true"), + resource.TestCheckResourceAttr(resourceName, "allowed_uri_sans.0", "uri.test.domain"), + resource.TestCheckResourceAttr(resourceName, "allowed_other_sans.0", "1.2.3.4.5.5;UTF8:test"), + resource.TestCheckResourceAttr(resourceName, "server_flag", "true"), + resource.TestCheckResourceAttr(resourceName, "client_flag", "true"), + resource.TestCheckResourceAttr(resourceName, "code_signing_flag", "false"), + resource.TestCheckResourceAttr(resourceName, "email_protection_flag", "false"), + resource.TestCheckResourceAttr(resourceName, "key_type", "rsa"), + resource.TestCheckResourceAttr(resourceName, "key_bits", "2048"), + resource.TestCheckResourceAttr(resourceName, "email_protection_flag", "false"), + resource.TestCheckResourceAttr(resourceName, "email_protection_flag", "false"), + resource.TestCheckResourceAttr(resourceName, 
"key_usage.#", "3"), + resource.TestCheckResourceAttr(resourceName, "key_usage.0", "DigitalSignature"), + resource.TestCheckResourceAttr(resourceName, "key_usage.1", "KeyAgreement"), + resource.TestCheckResourceAttr(resourceName, "key_usage.2", "KeyEncipherment"), + resource.TestCheckResourceAttr(resourceName, "ext_key_usage.#", "0"), + resource.TestCheckResourceAttr(resourceName, "use_csr_common_name", "true"), + resource.TestCheckResourceAttr(resourceName, "use_csr_sans", "true"), + resource.TestCheckResourceAttr(resourceName, "ou.0", "test"), + resource.TestCheckResourceAttr(resourceName, "organization.0", "test"), + resource.TestCheckResourceAttr(resourceName, "country.0", "test"), + resource.TestCheckResourceAttr(resourceName, "locality.0", "test"), + resource.TestCheckResourceAttr(resourceName, "province.0", "test"), + resource.TestCheckResourceAttr(resourceName, "street_address.0", "123 test"), + resource.TestCheckResourceAttr(resourceName, "postal_code.0", "12345"), + resource.TestCheckResourceAttr(resourceName, "generate_lease", "false"), + resource.TestCheckResourceAttr(resourceName, "no_store", "false"), + resource.TestCheckResourceAttr(resourceName, "require_cn", "true"), + resource.TestCheckResourceAttr(resourceName, "basic_constraints_valid_for_non_ca", "false"), + resource.TestCheckResourceAttr(resourceName, "not_before_duration", "45m"), + resource.TestCheckResourceAttr(resourceName, "policy_identifiers.#", "1"), + resource.TestCheckResourceAttr(resourceName, "policy_identifiers.0", "1.2.3.4"), + } + resource.Test(t, resource.TestCase{ + Providers: testProviders, + PreCheck: func() { testutil.TestAccPreCheck(t) }, + CheckDestroy: testPkiSecretBackendRoleCheckDestroy, + Steps: []resource.TestStep{ { - Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, mixedPolicyIdentifiers), - Check: resource.ComposeTestCheckFunc( - append(checks, - resource.TestCheckResourceAttr(resourceName, "policy_identifier.#", "2"), - 
resource.TestCheckTypeSetElemNestedAttrs(resourceName, "policy_identifier.*", map[string]string{"oid": "1.2.3.4.5", "cps": "https://example.com/cps", "notice": "Some notice"}), - resource.TestCheckTypeSetElemNestedAttrs(resourceName, "policy_identifier.*", map[string]string{"oid": "1.2.3.4.5.6"}), - )..., - ), - }, - { - Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, legacyPolicyIdentifiers), + Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, testLegacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( append(checks, resource.TestCheckResourceAttr(resourceName, "ttl", "3600"), @@ -114,7 +163,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { ), }, { - Config: testPkiSecretBackendRoleConfig_basic(name, backend, 0, 0, legacyPolicyIdentifiers), + Config: testPkiSecretBackendRoleConfig_basic(name, backend, 0, 0, testLegacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( append(checks, resource.TestCheckResourceAttr(resourceName, "ttl", "0"), @@ -123,7 +172,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { ), }, { - Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, legacyPolicyIdentifiers), + Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, testLegacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( append(checks, resource.TestCheckResourceAttr(resourceName, "ttl", "3600"), @@ -132,7 +181,7 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { ), }, { - Config: testPkiSecretBackendRoleConfig_updated(name, backend, legacyPolicyIdentifiers), + Config: testPkiSecretBackendRoleConfig_updated(name, backend, testLegacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "name", name), resource.TestCheckResourceAttr(resourceName, "backend", backend), diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md index 544419e37..c5de67cf9 100644 
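Review bot: The new TestPkiSecretBackendRole_basic repeats the roughly forty-entry `checks` literal of TestPkiSecretBackendRole_policy_identifier verbatim, including the pre-existing triple check of `email_protection_flag`, so the two lists will drift the next time an attribute is added. A small helper, `func testPkiSecretBackendRoleBasicChecks(resourceName, name, backend string) []resource.TestCheckFunc`, returning the shared list would let both tests call it and append only their policy-identifier assertions. Each step also does `append(checks, ...)` on the shared slice; that is safe only because the literal has no spare capacity, so the helper should return a fresh slice per call rather than a package-level variable. The hunk covers the start of the new test body; the test function continues past the hunk.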
--- a/website/docs/r/pki_secret_backend_role.html.md +++ b/website/docs/r/pki_secret_backend_role.html.md @@ -79,7 +79,7 @@ The following arguments are supported: * `email_protection_flag` - (Optional) Flag to specify certificates for email protection use -* `key_type` - (Optional) The generated key type, choices: `rsa`, `ec`, `ed25519`, `any` +* `key_type` - (Optional) The generated key type, choices: `rsa`, `ec`, `ed25519`, `any` Defaults to `rsa` * `key_bits` - (Optional) The number of bits of generated keys @@ -112,7 +112,8 @@ The following arguments are supported: * `require_cn` - (Optional) Flag to force CN usage -* `policy_identifiers` - (Optional) Specify the list of allowed policies OIDs; Deprecated: use `policy_identifier` blocks instead +* `policy_identifiers` - (Optional) Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use `policy_identifier` blocks instead + * `policy_identifier` - (Optional) (Vault 1.11+ only) A block for specifying policy identifers. The `policy_identifier` block can be repeated, and supports the following arguments: - `oid` - (Required) The OID for the policy identifier From cfd52c9e9c7f697a18c8d65304a6c7bf053353ed Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Thu, 9 Jun 2022 14:57:24 -0700 Subject: [PATCH 3/4] Rename internal/pki.go to internal/pki/policy_identifier.go --- internal/{pki.go => pki/policy_identifier.go} | 2 +- vault/resource_pki_secret_backend_role.go | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) rename internal/{pki.go => pki/policy_identifier.go} (99%) diff --git a/internal/pki.go b/internal/pki/policy_identifier.go similarity index 99% rename from internal/pki.go rename to internal/pki/policy_identifier.go index 93a747c8e..f2718d6b8 100644 --- a/internal/pki.go +++ b/internal/pki/policy_identifier.go @@ -1,4 +1,4 @@ -package internal +package pki import ( "encoding/json" 
diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go index ba3189a08..fe4256a28 100644 --- a/vault/resource_pki_secret_backend_role.go +++ b/vault/resource_pki_secret_backend_role.go @@ -9,7 +9,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" - "github.com/hashicorp/terraform-provider-vault/internal" + "github.com/hashicorp/terraform-provider-vault/internal/pki" "github.com/hashicorp/terraform-provider-vault/internal/provider" ) @@ -384,7 +384,7 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error } policyIdentifiersList := d.Get("policy_identifiers").([]interface{}) - policyIdentifierBlocks := internal.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set)) + policyIdentifierBlocks := pki.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set)) iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{}) allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers)) @@ -516,7 +516,7 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error { extKeyUsage = append(extKeyUsage, iUsage.(string)) } - legacyPolicyIdentifiers, newPolicyIdentifiers, err := internal.MakePkiPolicyIdentifiersListOrSet(secret.Data["policy_identifiers"].([]interface{})) + legacyPolicyIdentifiers, newPolicyIdentifiers, err := pki.MakePkiPolicyIdentifiersListOrSet(secret.Data["policy_identifiers"].([]interface{})) if err != nil { return err } 
@@ -604,7 +604,7 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error } policyIdentifiersList := d.Get("policy_identifiers").([]interface{}) - policyIdentifierBlocks := internal.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set)) + policyIdentifierBlocks := pki.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set)) iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{}) allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers)) From 5c4d3a78e7f62d44c92648fa996396d73fb6b0f2 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Thu, 9 Jun 2022 16:04:05 -0700 Subject: [PATCH 4/4] Address review comments --- vault/resource_pki_secret_backend_role.go | 35 ++++++++------- .../resource_pki_secret_backend_role_test.go | 44 +++++++++++++++++++ .../docs/r/pki_secret_backend_role.html.md | 32 ++++++++++++++ 3 files changed, 94 insertions(+), 17 deletions(-) diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go index fe4256a28..89cda2606 100644 --- a/vault/resource_pki_secret_backend_role.go +++ b/vault/resource_pki_secret_backend_role.go @@ -383,9 +383,6 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error extKeyUsage = append(extKeyUsage, iUsage.(string)) } - policyIdentifiersList := d.Get("policy_identifiers").([]interface{}) - policyIdentifierBlocks := pki.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set)) - iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{}) allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers)) for _, iSerialNumber := range iAllowedSerialNumbers { 
@@ -439,10 +436,10 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error data["ext_key_usage"] = extKeyUsage } - if len(policyIdentifiersList) > 0 { - data["policy_identifiers"] = policyIdentifiersList - } else if policyIdentifierBlocks != "" { - data["policy_identifiers"] = policyIdentifierBlocks + if policyIdentifiers, ok := d.GetOk("policy_identifiers"); ok { + data["policy_identifiers"] = policyIdentifiers + } else if policyIdentifierBlocksRaw, ok := d.GetOk("policy_identifier"); ok { + data["policy_identifiers"] = pki.ReadPolicyIdentifierBlocks(policyIdentifierBlocksRaw.(*schema.Set)) } if len(allowedSerialNumbers) > 0 { @@ -516,9 +513,16 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error { extKeyUsage = append(extKeyUsage, iUsage.(string)) } - legacyPolicyIdentifiers, newPolicyIdentifiers, err := pki.MakePkiPolicyIdentifiersListOrSet(secret.Data["policy_identifiers"].([]interface{})) - if err != nil { - return err + var legacyPolicyIdentifiers []string = nil + var newPolicyIdentifiers *schema.Set = nil + if policyIdentifiersRaw, ok := secret.Data["policy_identifiers"]; ok { + if policyIdentifiersRawList, ok := policyIdentifiersRaw.([]interface{}); ok { + var err error + legacyPolicyIdentifiers, newPolicyIdentifiers, err = pki.MakePkiPolicyIdentifiersListOrSet(policyIdentifiersRawList) + if err != nil { + return err + } + } } notBeforeDuration := flattenVaultDuration(secret.Data["not_before_duration"]) 
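Review bot: The `policy_identifiers`/`policy_identifier` selection introduced here is repeated byte-for-byte in pkiSecretBackendRoleUpdate (hunk `@@ -659,10 +660,10 @@` below); a small helper keeps the precedence rule in one place so the create and update paths cannot drift apart. The else-if also deserves a comment, because the two branches send different shapes to Vault: the legacy argument is passed through as the raw list, while the block form goes through `pki.ReadPolicyIdentifierBlocks`, whose result (compared against `""` in the removed lines) appears to be a single encoded string that presumably only Vault 1.11+ parses. The `*schema.Set` assertion is unchecked, which is acceptable only while the schema declares `policy_identifier` as a TypeSet; that declaration is outside this patch, as is the rest of pkiSecretBackendRoleCreate. The helper below assumes `data` is the usual `map[string]interface{}` request body built earlier in the function.
```go
// setRolePolicyIdentifiers copies the role's policy identifiers into the
// request body. The legacy list argument wins; otherwise the policy_identifier
// blocks are encoded by pki.ReadPolicyIdentifierBlocks (Vault 1.11+ format).
// Relies on the schema to reject both arguments being set at once.
func setRolePolicyIdentifiers(d *schema.ResourceData, data map[string]interface{}) {
	if policyIdentifiers, ok := d.GetOk("policy_identifiers"); ok {
		data["policy_identifiers"] = policyIdentifiers
	} else if blocksRaw, ok := d.GetOk("policy_identifier"); ok {
		data["policy_identifiers"] = pki.ReadPolicyIdentifierBlocks(blocksRaw.(*schema.Set))
	}
}

// … in pkiSecretBackendRoleCreate and pkiSecretBackendRoleUpdate, replacing the if/else-if …
setRolePolicyIdentifiers(d, data)
```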
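Review bot: When `secret.Data["policy_identifiers"]` is present but is not a `[]interface{}`, the new nested type check silently leaves both `legacyPolicyIdentifiers` and `newPolicyIdentifiers` nil, so the state would record no policy identifiers while the role in Vault still carries some and that drift would go undetected; an else branch on the inner `if` that returns an error, e.g. `return fmt.Errorf("unexpected type %T for policy_identifiers", policyIdentifiersRaw)`, fails loudly instead. The explicit `= nil` on the two `var` declarations is redundant in Go and reads as if nil were a deliberate sentinel — `var legacyPolicyIdentifiers []string` says the same thing. A short comment above the block would help too: `// Vault omits policy_identifiers when none are set; the helper splits whatever comes back into the legacy list or the policy_identifier block set.` — the helper's body is outside this patch, so its exact behaviour is inferred from its name and return values. pkiSecretBackendRoleRead continues outside the hunk.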
@@ -603,9 +607,6 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error extKeyUsage = append(extKeyUsage, iUsage.(string)) } - policyIdentifiersList := d.Get("policy_identifiers").([]interface{}) - policyIdentifierBlocks := pki.ReadPolicyIdentifierBlocks(d.Get("policy_identifier").(*schema.Set)) - iAllowedSerialNumbers := d.Get("allowed_serial_numbers").([]interface{}) allowedSerialNumbers := make([]string, 0, len(iAllowedSerialNumbers)) for _, iSerialNumber := range iAllowedSerialNumbers { @@ -659,10 +660,10 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error data["ext_key_usage"] = extKeyUsage } - if len(policyIdentifiersList) > 0 { - data["policy_identifiers"] = policyIdentifiersList - } else if policyIdentifierBlocks != "" { - data["policy_identifiers"] = policyIdentifierBlocks + if policyIdentifiers, ok := d.GetOk("policy_identifiers"); ok { + data["policy_identifiers"] = policyIdentifiers + } else if policyIdentifierBlocksRaw, ok := d.GetOk("policy_identifier"); ok { + data["policy_identifiers"] = pki.ReadPolicyIdentifierBlocks(policyIdentifierBlocksRaw.(*schema.Set)) } if len(allowedSerialNumbers) > 0 { diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go index ec459c90b..6178495f6 100644 --- a/vault/resource_pki_secret_backend_role_test.go +++ b/vault/resource_pki_secret_backend_role_test.go @@ -2,6 +2,7 @@ package vault import ( "fmt" + "regexp" "testing" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" @@ -24,6 +25,7 @@ func TestPkiSecretBackendRole_policy_identifier(t *testing.T) { policy_identifier { oid = "1.2.3.4.5.6" }` + combinedPolicyIdentifiers := testLegacyPolicyIdentifiers + "\n " + newPolicyIdentifiers backend := acctest.RandomWithPrefix("pki") name := acctest.RandomWithPrefix("role") 
@@ -85,6 +87,11 @@ func TestPkiSecretBackendRole_policy_identifier(t *testing.T) { )..., ), }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, { Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, newPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( @@ -95,6 +102,23 @@ func TestPkiSecretBackendRole_policy_identifier(t *testing.T) { )..., ), }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) + + resource.Test(t, resource.TestCase{ + Providers: testProviders, + PreCheck: func() { testutil.TestAccPreCheck(t) }, + CheckDestroy: testPkiSecretBackendRoleCheckDestroy, + Steps: []resource.TestStep{ + { + Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, combinedPolicyIdentifiers), + ExpectError: regexp.MustCompile(".*Conflicting configuration arguments.*"), + }, }, }) } @@ -162,6 +186,11 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { )..., ), }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, { Config: testPkiSecretBackendRoleConfig_basic(name, backend, 0, 0, testLegacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( @@ -171,6 +200,11 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { )..., ), }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, { Config: testPkiSecretBackendRoleConfig_basic(name, backend, 3600, 7200, testLegacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( @@ -180,6 +214,11 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { )..., ), }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, { Config: testPkiSecretBackendRoleConfig_updated(name, backend, testLegacyPolicyIdentifiers), Check: resource.ComposeTestCheckFunc( 
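Review bot: The `ExpectError` pattern `".*Conflicting configuration arguments.*"` in the new conflict test case (hunk `@@ -95,6 +102,23 @@`) can drop the leading and trailing `.*`: `regexp.MustCompile` already matches anywhere in the error string, so `regexp.MustCompile("Conflicting configuration arguments")` is equivalent and clearer. The expected message presumably comes from the SDK's `ConflictsWith` validation declared in the schema, which is not part of this patch; a one-line comment on the step, e.g. `// policy_identifiers and policy_identifier are mutually exclusive (ConflictsWith in the schema), so this fails at plan time`, tells a reader why the configuration is expected to fail before any role is created. TestPkiSecretBackendRole_policy_identifier starts outside the hunk.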
@@ -229,6 +268,11 @@ func TestPkiSecretBackendRole_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "not_before_duration", "45m"), ), }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, }, }) } diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md index c5de67cf9..030144213 100644 --- a/website/docs/r/pki_secret_backend_role.html.md +++ b/website/docs/r/pki_secret_backend_role.html.md @@ -122,6 +122,38 @@ The following arguments are supported: - `cps` - (Optional) The URL of the CPS for the policy identifier + Example usage: +```hcl +resource "vault_mount" "pki" { + path = "pki" + type = "pki" + default_lease_ttl_seconds = 3600 + max_lease_ttl_seconds = 86400 +} + +resource "vault_pki_secret_backend_role" "role" { + backend = vault_mount.pki.path + name = "my_role" + ttl = 3600 + allow_ip_sans = true + key_type = "rsa" + key_bits = 4096 + allowed_domains = ["example.com", "my.domain"] + allow_subdomains = true + + policy_identifier { + oid = "1.3.6.1.4.1.7.8" + notice= "I am a user Notice" + } + policy_identifier { + oid = "1.3.6.1.4.1.44947.1.2.4" + cps ="https://example.com" + } +} +``` + + + * `basic_constraints_valid_for_non_ca` - (Optional) Flag to mark basic constraints valid when issuing non-CA certificates * `not_before_duration` - (Optional) Specifies the duration by which to backdate the NotBefore property.